Improper Access Control in lunary-ai/lunary
Description
An improper access control vulnerability exists in lunary-ai/lunary at the latest commit (a761d83) on the main branch. The vulnerability allows an attacker to use the auth tokens issued by the 'invite user' functionality to obtain valid JWT tokens. These tokens can be used to compromise target users upon registration for their own arbitrary organizations. The attacker can invite a target email, obtain a one-time use token, retract the invite, and later use the token to reset the password of the target user, leading to full account takeover.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
An improper access control flaw in lunary-ai/lunary lets attackers reuse invite tokens to reset passwords and achieve full account takeover.
Vulnerability Overview
An improper access control vulnerability in lunary-ai/lunary at the latest commit (a761d83) allows an attacker to misuse auth tokens generated by the 'invite user' functionality. The attacker can invite a target email address, obtain a one-time use token from the invitation link, then retract the invite while retaining the token. This token can later be used to obtain a valid JWT token for the target user [1][2].
Attack Vector
No prior authentication is required for the initial steps; the attacker only needs the target's email address. After retracting the invitation, the token is no longer tied to the original invite but can still be processed by the system. The attacker then leverages the token to reset the target user's password, thereby taking over their account upon registration with an arbitrary organization [1][2].
Impact
Successful exploitation results in full account compromise of the target user. Since the attack circumvents normal access controls, the attacker can gain unauthorized access to any data or functionality associated with the victim's account within the lunary platform [1][2].
Mitigation
As of publication, no patch has been released for this vulnerability. Users and administrators of lunary-ai/lunary should monitor for updates from the vendor and consider restricting invitation functionality to trusted domains until a fix is available [1][2].
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| lunary (npm) | < 1.4.9 | 1.4.9 |
Affected products (2)
- lunary-ai/lunary (lunary-ai/lunary v5), range: unspecified
Patches
- 1844e8855c7a7
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References (4)